The North Korean threat actor Andariel [1] [3] [5] [6], a sub-cluster of the Lazarus Group [1] [3] [5], has been conducting cyber attacks on organizations in South Korea for over a decade. This group primarily targets financial institutions, defense contractors [1] [3] [5], government agencies [1] [3] [5], universities [1] [3] [5], cybersecurity vendors [1] [3] [5], and energy companies [1] [3] [5].

Description

Andariel utilizes various malicious tools, including malware strains developed in the Go programming language [3] [5] [6], as reported in a deep-dive analysis by the AhnLab Security Emergency Response Center (ASEC) [6]. Its attacks rely on spear-phishing [1], watering holes [1] [3], and supply chain attacks to deliver a range of malicious payloads [1]. Notably, the group has used malware families such as Gh0st RAT [1], DTrack [1] [2] [3] [4] [5], Goat RAT [1] [3] [5], Black RAT [1] [3] [5], and DurianBeacon for specific malicious tasks [1]. Andariel has also modified the DTrack malware and introduced a new ransomware called Maui. DTrack, created by the Lazarus Group [4], is deployed to upload and download files [2] [4], record keystrokes [2] [4], and perform other malicious actions [2] [4]; it also collects system information and browser history [2].

Andariel has recently exploited security flaws in Innorix Agent and Zoho ManageEngine ServiceDesk Plus to distribute backdoors and a Golang-based reverse shell. In one attack in February 2023, the group exploited security flaws in Innorix Agent to distribute backdoors such as Volgmer and Andardoor [5], as well as a Golang-based reverse shell called 1th Troy [5].

The group’s attacks have shifted from national security-focused campaigns to financially motivated activities [1]. Andariel remains one of the active threat groups targeting Korea [3] [5], now focused on financial gain rather than national security [3] [5]. It is worth noting that North Korean actors have also been implicated in campaigns targeting open-source repositories to poison the software supply chain [3].

Kaspersky experts have discovered these new attacks by Andariel [2] [4], confirming the group’s ongoing activity and expanding reach. The group is opportunistic and may target any company worldwide [2], selecting victims with particular attention to their financial standing.

Conclusion

The activities of Andariel, a sub-cluster of the Lazarus Group [1] [3] [5], pose a significant threat to organizations in South Korea. Their attacks target a wide range of sectors, including financial institutions [1] [3] [5], defense contractors [1] [3] [5], government agencies [1] [3] [5], universities [1] [3] [5], cybersecurity vendors [1] [3] [5], and energy companies [1] [3] [5]. It is crucial for these organizations to implement robust cybersecurity measures to mitigate the risk posed by Andariel and similar threat actors. Additionally, the targeting of open-source repositories to poison the software supply chain highlights the need for increased vigilance and security measures in this area. As Andariel continues to expand its reach and target companies worldwide, it is essential for organizations to remain proactive in their cybersecurity efforts to protect their financial standing and sensitive information.

References

[1] https://cybermaterial.com/north-korean-andariels-cyber-campaign/
[2] https://backendnews.net/lazarus-subgroup-expands-attacks-with-new-ransomware/
[3] https://thehackernews.com/2023/09/researchers-warn-of-cyber-weapons-used.html
[4] https://www.thetechnivore.com/andariel-a-lazarus-subgroup-expands-its-attacks-with-new-ransomware/
[5] https://vulners.com/thn/THN:1A9ADEF42BDF698ED08DDC9B95E5B9B9
[6] https://www.linkedin.com/posts/wdevault_researchers-warn-of-cyber-weapons-used-by-activity-7104808500165283840-8rLw